
March 16, 2025 | Active Directory, Windows 11, Windows Server 2022

AD Domain Join: Computer Account Re-use Blocked

When attempting to join a computer to an Active Directory domain, an error may occur:

Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy:
An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.


This behavior is caused by the Windows updates released in October 2022, which hardened the reuse of existing computer accounts in Active Directory. These updates prevent a device from joining an AD domain by using an existing (pre-created) computer account (to help protect against the critical vulnerability CVE-2022-38042). The join is still allowed in the following cases:

  • The domain join is performed with the same user account that created the computer object in AD.
  • The computer object was created by a member of the Domain Admins group.
  • The joining user is a member of the Domain Admins, Enterprise Admins, or built-in Administrators group.
  • The joining user is listed in the GPO option Domain controller: Allow computer account re-use during domain join (this policy option was introduced in March 2023).

When a computer is joined to a domain, a series of checks are performed to prevent access to the existing computer object in the domain if the user does not meet the above conditions.

Check the domain join log on the client (C:\Windows\debug\NetSetup.LOG). It should contain the following lines:

NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=wks0001,CN=Computers,DC=woshub,DC=loc
NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=wks0001,CN=Computers,DC=woshub,DC=loc
NetpGetADObjectOwnerAttributes: Ms-Ds-CreatorSid is empty.
NetpManageMachineAccountWithSid: NetUserAdd on 'h-dc01.woshub.loc' for 'WKS0001$' failed: 0x8b0
NetpManageMachineAccountWithSid: The computer account already exists in Active Directory. Re-using the account was blocked by security policy.


An event with event ID 4100 or 4101 should also appear in the System log in Event Viewer:

During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name.
An attempt to re-use this account was permitted.
Domain controller searched: \\h-dc01.woshub.loc
Existing computer account DN: CN=wks0001,CN=Computers,DC=woshub,DC=loc


The simplest workaround is to rename the computer (hostname) or delete the previously created account with that name from AD. In this case, you can easily join the computer to the AD domain with a new name.


If you want to allow some non-admin users to join computers to existing accounts, you must configure a separate GPO for domain controllers.

  1. Create a security group in the AD domain and add the users who are allowed to reuse computer accounts. For example, HQ_Allow_Domain_Join.
  2. Open the Group Policy Management Console (gpmc.msc), create a new GPO, and link it to the Domain Controllers OU.
  3. Open the GPO and go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
  4. Open the policy Domain controller: Allow computer account re-use during domain join.
  5. Enable the policy, click Edit Security, and add the previously created group of trusted users who will be allowed to join computers to existing accounts.
    To limit exposure, keep the number of members in this group to a minimum.
  6. Wait for the GPO settings to be applied on the DC, or apply them immediately with the command gpupdate /force.
  7. The policy sets the computeraccountreuseallowlist value under the HKLM\SYSTEM\CurrentControlSet\Control\SAM registry key on the DC. Its value contains the list of groups you have added (in SDDL format).
  8. Verify that the members of this group have been delegated AD permissions to manage computer accounts in the target OU.


Now, users in this group can use existing computer accounts when joining devices to the domain.
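The steps above are clicked through in gpmc.msc; the following PowerShell script is an added example (not code from the original article) that covers the surrounding checks: it inspects who created the stale computer object (the first exception listed earlier), creates the allow-list group if it is missing, reads the computeraccountreuseallowlist value back from the DC to confirm the GPO applied, and lists the group's delegated rights on the target OU. It assumes the RSAT ActiveDirectory module, WinRM access to the DC, a Domain Admin session, and placeholder names for the OU; the group name, DC name and computer name are the ones quoted in the article.

```powershell
# Added example, not part of the original article. Assumes the RSAT
# ActiveDirectory module, a Domain Admin session, and WinRM access to the DC.
Import-Module ActiveDirectory

$GroupName    = 'HQ_Allow_Domain_Join'              # group from the article
$StaleHost    = 'wks0001'                           # computer name from the article's log
$Dc           = 'h-dc01.woshub.loc'                 # DC from the article's log
$TargetOu     = 'OU=Workstations,DC=woshub,DC=loc'  # placeholder: OU where computers are joined
$ReuseValue   = 'computeraccountreuseallowlist'     # registry value the GPO writes on the DC
$SamKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'

# 1. Who created the existing object? If it was the joining user, re-use is
#    already allowed without the GPO. mS-DS-CreatorSID is only populated when the
#    object was created through the machine-account quota, so "empty" means an
#    account with explicit create rights (e.g. an admin) pre-staged it.
$stale = Get-ADComputer -Identity $StaleHost -Properties 'mS-DS-CreatorSID' -ErrorAction SilentlyContinue
if ($stale) {
    $creator = $stale.'mS-DS-CreatorSID'
    if ($creator) {
        $sid = if ($creator -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($creator, 0) }
               else { [System.Security.Principal.SecurityIdentifier]$creator }
        "Existing object $($stale.DistinguishedName) created by: " +
            $sid.Translate([System.Security.Principal.NTAccount]).Value
    } else {
        "Existing object $($stale.DistinguishedName): mS-DS-CreatorSID is empty (pre-staged with explicit rights)"
    }
}

# 2. Create the allow-list group if it does not exist yet (step 1 of the procedure).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users allowed to re-use existing computer accounts during domain join'
    "Created group $GroupName"
}

# 3. Confirm the GPO landed on the DC: read the SDDL allow-list back (step 7).
$sddl = Invoke-Command -ComputerName $Dc -ArgumentList $SamKey, $ReuseValue -ScriptBlock {
    param($key, $name)
    (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
}
if ($sddl) {
    "Allow-list SDDL on ${Dc}: $sddl"
    # Translate the SDDL into readable principals (ConvertFrom-SddlString ships with PowerShell 5.1+)
    (ConvertFrom-SddlString -Sddl $sddl).DiscretionaryAcl
} else {
    "$ReuseValue not found on $Dc - run gpupdate /force on the DC and check the GPO link"
}

# 4. Check the delegated rights of the group on the target OU (step 8).
$acl = Get-Acl -Path "AD:\$TargetOu"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

If step 4 prints nothing, the group has no explicit ACE on that OU and the join will still fail after the allow-list is in place; delegate the computer-object permissions on the OU before testing again.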


Check the NetSetup.LOG log:

NetpCheckIfAccountShouldBeReused: Account re-use attempt was permitted by Active Directory Policy.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: TRUE, NetStatus:0x0


If the user still cannot add the computer to the domain after applying the specified settings, check the C:\Windows\debug\NetSetup.LOG file for the following line:

Active Directory Policy check with SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x5.

This indicates that the joining user is not allowed to connect to the domain controller remotely and query the SAM database. In this case, enable the Network access: Restrict clients allowed to make remote calls to SAM security policy in the DC GPO and add your user group to it.
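The two NetSetup.LOG checks in this article (the "blocked by security policy" lines earlier and the SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 0x5 case here) can be triaged from the client in one pass. The script below is an added example, not code from the original article: it parses the log, reports which condition applied, and pulls the 4100/4101 System events the article names. The sample log text is constructed from the messages quoted in the article and is used only when the real C:\Windows\debug\NetSetup.LOG is not present.

```powershell
# Added example, not part of the original article. Run on the client that failed to join.

function Get-JoinReuseDiagnosis {
    param([Parameter(Mandatory)][string[]]$Lines)

    $r = [ordered]@{
        ExistingAccountDn = $null   # DN of the pre-existing computer object, if the log names one
        CreatorSidEmpty   = $false  # mS-DS-CreatorSID missing, so the "same creator" exception cannot apply
        BlockedByPolicy   = $false  # NetpManageMachineAccountWithSid reported the re-use block
        ReuseAllowed      = $null   # fReuseAllowed from NetpCheckIfAccountShouldBeReused
        SamPolicyStatus   = $null   # NetStatus of the SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 check
        Verdict           = 'No computer-account re-use activity found in the log.'
    }

    foreach ($line in $Lines) {
        if ($line -match 'NetpGetComputerObjectDn:.*DN = (?<dn>CN=.+)$') { $r.ExistingAccountDn = $Matches.dn.Trim() }
        if ($line -match 'Ms-Ds-CreatorSid is empty') { $r.CreatorSidEmpty = $true }
        if ($line -match 'Re-using the account was blocked by security policy') { $r.BlockedByPolicy = $true }
        if ($line -match 'fReuseAllowed: (?<v>TRUE|FALSE)') { $r.ReuseAllowed = ($Matches.v -eq 'TRUE') }
        if ($line -match 'SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:(?<st>0x[0-9A-Fa-f]+)') {
            $r.SamPolicyStatus = $Matches.st
        }
    }

    # The SAM access failure (0x5) hides the allow-list result, so test it first.
    if ($r.SamPolicyStatus -eq '0x5') {
        $r.Verdict = 'Client could not query SAM on the DC (access denied): add the group to ' +
                     '"Network access: Restrict clients allowed to make remote calls to SAM" in the DC GPO.'
    } elseif ($r.ReuseAllowed -eq $true) {
        $r.Verdict = 'Re-use permitted by the allow-list policy; the failure has another cause.'
    } elseif ($r.BlockedByPolicy) {
        $r.Verdict = "Re-use of $($r.ExistingAccountDn) blocked by policy: rename the host, remove the stale " +
                     'object, or add the joining user to the allow-list group.'
    }
    [pscustomobject]$r
}

# Constructed sample, assembled from the log lines quoted in the article.
$sample = @'
NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=wks0001,CN=Computers,DC=woshub,DC=loc
NetpGetADObjectOwnerAttributes: Ms-Ds-CreatorSid is empty.
NetpManageMachineAccountWithSid: NetUserAdd on 'h-dc01.woshub.loc' for 'WKS0001$' failed: 0x8b0
NetpManageMachineAccountWithSid: The computer account already exists in Active Directory. Re-using the account was blocked by security policy.
'@ -split "`r?`n"

$logPath = "$env:SystemRoot\debug\NetSetup.LOG"
$lines   = if (Test-Path -Path $logPath) { Get-Content -Path $logPath } else { $sample }

Get-JoinReuseDiagnosis -Lines $lines | Format-List

# Matching System-log events (IDs 4100 and 4101, as named in the article); silent if none exist.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4100, 4101 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Against the constructed sample the verdict is the "blocked by policy" branch with CN=wks0001,CN=Computers,DC=woshub,DC=loc as the existing object; a real log that contains the NetStatus:0x5 line reports the SAM remote-call restriction instead, even if the allow-list GPO is already correct.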


Previously, Microsoft allowed the NetJoinLegacyAccountReuse registry value to be used to bypass the new security checks that prevent the reuse of existing computer accounts:

reg add HKLM\System\CurrentControlSet\Control\Lsa /v NetJoinLegacyAccountReuse /t REG_DWORD /d 1 /f

However, support for this registry setting was removed in the August 2024 updates, and this option no longer works.
